
Securing a web server

From SoftwarePractice.org

Some things you should do before making your server available...

MySQL

Lots of good information here:

In particular:

  1. Remove anonymous accounts. Connect as root first (on a fresh install root has no password yet, so no -p is needed):
    /usr/local/mysql/bin/mysql -u root
    mysql> DELETE FROM mysql.user WHERE User = '';
    mysql> FLUSH PRIVILEGES;
    
  2. Set a password for the root account
    mysql> UPDATE mysql.user SET Password = PASSWORD('newpwd') WHERE User = 'root';
    mysql> FLUSH PRIVILEGES;
    
    Note: this UPDATE is for the MySQL 5.x servers this page was written against. MySQL 5.7 removed the Password column from mysql.user and 8.0 removed PASSWORD(); on those releases, and on MariaDB 10.2 or later, set the password with ALTER USER 'root'@'localhost' IDENTIFIED BY 'newpwd' instead. The mysql_secure_installation script that ships with the server does both of these steps interactively, and additionally drops the test database and any root accounts that are reachable from other hosts.
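
The cleanup above as a shell script, followed by a check that it actually took effect. This is an added example and not part of the original page: harden_sql prints the SQL for steps 1 and 2 plus the two companion steps that mysql_secure_installation also performs (dropping the test database and root accounts reachable from other hosts), and audit_users reads a User/Host listing of mysql.user and reports whatever the cleanup should have removed. The mysql binary path is the page's; the function names, the quote escaping and the sample user table are this example's own.

```sh
#!/bin/sh
# Added example, not part of the original page. Two helpers around the
# MySQL account cleanup: harden_sql prints the statements to run, and
# audit_users checks a "User<TAB>Host" listing of mysql.user afterwards.
# Function names, the escaping and the sample table below are this
# example's own; the mysql binary path is the one the page uses.

# harden_sql PASSWORD: SQL for steps 1 and 2 plus the two steps
# mysql_secure_installation performs as well (drop the test database and
# its catch-all grant, drop root accounts reachable from other hosts).
# A single quote inside the password is doubled, which is how a quote is
# escaped in an SQL string literal.
harden_sql() {
    pw=$(printf '%s' "$1" | sed "s/'/''/g")
    cat <<'EOF'
DELETE FROM mysql.user WHERE User = '';
DELETE FROM mysql.user WHERE User = 'root'
    AND Host NOT IN ('localhost', '127.0.0.1', '::1');
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db = 'test' OR Db = 'test\\_%';
FLUSH PRIVILEGES;
-- MySQL 5.7+ / MariaDB 10.2+; older servers use
-- SET PASSWORD FOR 'root'@'localhost' = PASSWORD('...') instead.
EOF
    printf "ALTER USER 'root'@'localhost' IDENTIFIED BY '%s';\n" "$pw"
}

# audit_users: read "User<TAB>Host" lines on stdin (what
#   mysql -u root -p -N -B -e "SELECT User, Host FROM mysql.user"
# prints), report every anonymous account and every root account that is
# not bound to the local host, and return 1 if there was anything to report.
audit_users() {
    awk -F'\t' '
        BEGIN { bad = 0 }
        $1 == "" { print "anonymous account on host " $2; bad++ }
        $1 == "root" && $2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1" {
            print "root reachable from host " $2; bad++
        }
        END { exit (bad > 0) }
    '
}

# Constructed sample: the rows a fresh MySQL 5.x install creates
# (root@<hostname> and an anonymous account) plus one application user.
SAMPLE_USERS=$(printf 'root\tlocalhost\nroot\tdb1.example.com\n\tlocalhost\nwebapp\tlocalhost')

# Run with --demo to see the two findings for the sample table. On a real
# server pipe harden_sql into the mysql client, then the SELECT above into
# audit_users.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_USERS" | audit_users
fi
```

On a live server this is harden_sql 'newpwd' | /usr/local/mysql/bin/mysql -u root, and afterwards /usr/local/mysql/bin/mysql -u root -p -N -B -e "SELECT User, Host FROM mysql.user" | audit_users; a non-zero exit from audit_users means a row survived. The sample table reproduces the root@<hostname> and anonymous rows that mysql_install_db creates on 5.x.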
    

phpMyAdmin

  1. Set up authentication to restrict access. Do not use auth_type "config": it keeps a database user name and password in config.inc.php and logs in everyone who can reach the URL as that user. The simplest mode that actually asks for credentials is "cookie." Change the following lines in the phpMyAdmin file config.inc.php:
    $cfg['blowfish_secret'] = 'somephrase';
    $cfg['Servers'][$i]['auth_type'] = 'cookie';
    
    blowfish_secret is the key phpMyAdmin uses to encrypt the credentials it keeps in the login cookie, so replace 'somephrase' with a random string (the phpMyAdmin documentation asks for 32 characters).

    Note: a drawback of cookie authentication is that any database user/password combination is accepted, and phpMyAdmin then gives that user exactly the access it has in MySQL. phpMyAdmin is therefore only as strong as your weakest database password, so make sure that the password of every individual database user is hard to guess as well.

  2. FIXME: restrict access in httpd.conf as well (for example Deny from all plus an Allow from for the administrators' network on the phpMyAdmin directory, or HTTP authentication in front of it, so that the login form is not exposed to the whole Internet).
  3. Remove access to the libraries/ directory. It holds phpMyAdmin's include files, which are never meant to be requested directly. I do this in httpd.conf. In your default server configuration, add:
      <Directory /usr/www/default/public_html/aloha/admin/libraries>
        Order Deny,Allow
        Deny from all
      </Directory>
    
    (This is Apache 2.2 syntax; on Apache 2.4 the equivalent inside the Directory block is the single directive Require all denied.)
  4. Remove world read access. Assuming that you have your httpd running as the 'apache' user, make sure all files are only accessible to that user:
    cd /path-to-phpMyAdmin/
    chown -R apache:apache .
    chmod -R o-r,o-w,o-x .
    
    This keeps other local accounts out of config.inc.php (which holds the blowfish_secret). It does not protect against code that httpd itself runs: with mod_php every other PHP application on the server executes as 'apache' too and can still read the file.
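
Steps 1 and 4 as a script with a verification pass. This is an added example, not code from the page or from phpMyAdmin: lock_down does the chown/chmod from step 4 for a given directory and web-server user; world_accessible lists whatever is still readable, writable or executable by "other"; check_auth reads config.inc.php and refuses auth_type "config" or a blowfish_secret shorter than the 32 characters the phpMyAdmin documentation asks for. The function names, the deliberately simple config parsing and the sample tree built by make_sample_tree are this example's own.

```sh
#!/bin/sh
# Added example, not part of the original page: steps 1 and 4 of the
# phpMyAdmin section as functions, plus the checks that show whether they
# took effect. Function names, the (deliberately simple) config parsing
# and the sample tree are this example's own.

# lock_down DIR USER: give the tree to the web-server user and strip every
# "other" bit, as in step 4. chown needs root; if it fails the failure is
# reported but the chmod still runs, since it helps on its own.
lock_down() {
    chown -R "$2:$2" "$1" 2>/dev/null ||
        echo "lock_down: chown to $2 failed (not root?)" >&2
    chmod -R o-rwx "$1"
}

# world_accessible DIR: print every path under DIR that any other user can
# read (o=4), write (o=2) or search/execute (o=1); return 1 when there is
# at least one, so the function doubles as a check.
world_accessible() {
    ! find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print | grep .
}

# config_value FILE KEY: the single-quoted string assigned to
# $cfg[...]['KEY'] in config.inc.php (first match). Only the form the page
# shows is handled, not arbitrary PHP.
config_value() {
    sed -n "s/^[[:space:]]*\\\$cfg.*\['$2'][[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1" |
        head -n 1
}

# check_auth FILE: step 1 done right? auth_type must be "cookie" (with a
# blowfish_secret of at least the 32 characters the phpMyAdmin manual asks
# for) or "http". "config" means a stored DB password and no login at all.
check_auth() {
    auth=$(config_value "$1" auth_type)
    secret=$(config_value "$1" blowfish_secret)
    case "$auth" in
        http) return 0 ;;
        cookie)
            if [ "${#secret}" -ge 32 ]; then return 0; fi
            echo "check_auth: blowfish_secret is ${#secret} chars, want 32" >&2
            return 1 ;;
        config)
            echo "check_auth: auth_type 'config' logs everyone in with the stored password" >&2
            return 1 ;;
        *)
            echo "check_auth: auth_type is '${auth:-unset}'" >&2
            return 1 ;;
    esac
}

# make_sample_tree: constructed stand-in for an unpacked phpMyAdmin tree
# with the page's config lines and the usual world-readable permissions;
# prints its path. For demonstration and testing only.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/libraries"
    printf '%s\n' '<?php' \
        "\$cfg['blowfish_secret'] = 'somephrase';" \
        "\$cfg['Servers'][\$i]['auth_type'] = 'cookie';" > "$d/config.inc.php"
    : > "$d/libraries/common.inc.php"
    chmod -R u=rwX,go=rX "$d"
    printf '%s\n' "$d"
}

# Run with --demo: before lock_down everything is listed and check_auth
# complains about 'somephrase'; afterwards the listing is empty.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_tree)
    world_accessible "$d"; check_auth "$d/config.inc.php"
    lock_down "$d" "$(id -un)"
    world_accessible "$d" && echo "nothing world-accessible under $d"
    rm -rf "$d"
fi
```

On the real installation this is lock_down /path-to-phpMyAdmin apache (as root) followed by world_accessible /path-to-phpMyAdmin and check_auth /path-to-phpMyAdmin/config.inc.php; both return non-zero when something is left to fix.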
    

Secure logins

Disable insecure services like ftp and telnet. Both send the user name and password over the network in the clear; use ssh for logins and scp or sftp for file transfer instead.

Use sudo to allow specified users access to root-like commands, so that nobody needs to log in as root at all. Then disable root logins over ssh by adding this line to /etc/ssh/sshd_config:

PermitRootLogin no

(Then restart sshd: /etc/rc.d/sshd restart, or something similar. Check the file with sshd -t first, and keep your current session open until a fresh login works, so that a typo in sshd_config cannot lock you out.)
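
A check to run on sshd_config before sshd is restarted with it, so that the PermitRootLogin line really is in effect. This is an added example, not part of the original page or of OpenSSH: the file is read in a simplified version of what sshd does (comments ignored, keywords case-insensitive, the first occurrence of a keyword wins, and everything after a Match line applies only to the connections that block matches). The function names, the restart wrapper and the sample file are this example's own; the "key=value" spelling of a setting is not handled.

```sh
#!/bin/sh
# Added example, not part of the original page: verify that an sshd_config
# actually disables root logins before sshd is restarted with it. The file
# is read in a simplified version of sshd's way: comments and blank lines
# are ignored, keywords are case-insensitive, the first occurrence of a
# keyword wins, and everything after a "Match" line applies only to the
# matching connections (the "key=value" spelling is not handled). Function
# names, the restart wrapper and the sample file are this example's own.

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# ssh_setting FILE KEYWORD: the global value of KEYWORD, or nothing when
# the file leaves it at sshd's built-in default.
ssh_setting() {
    awk -v key="$(lc "$2")" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# match_overrides FILE KEYWORD: one "Match ... -> value" line for every
# setting of KEYWORD inside a Match block; those win for the connections
# the block matches, whatever the global line says.
match_overrides() {
    awk -v key="$(lc "$2")" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == "match" { block = $0; sub(/^[[:space:]]+/, "", block); next }
        block != "" && tolower($1) == key { print block " -> " $2 }
    ' "$1"
}

# root_login_disabled FILE: true only when PermitRootLogin is "no" globally
# and no Match block sets it to anything else. Leaving it unset is not
# enough: OpenSSH before 7.0 defaulted to "yes", later releases to
# "prohibit-password", which still lets root in with a key.
root_login_disabled() {
    v=$(lc "$(ssh_setting "$1" PermitRootLogin)")
    ok=0
    case "$v" in
        no) ;;
        "") echo "PermitRootLogin is not set, so sshd's default applies" >&2; ok=1 ;;
        *)  echo "PermitRootLogin is '$v'" >&2; ok=1 ;;
    esac
    bad=$(match_overrides "$1" PermitRootLogin | grep -iv -- '-> no$')
    if [ -n "$bad" ]; then
        printf 'root login re-enabled by: %s\n' "$bad" >&2
        ok=1
    fi
    return $ok
}

# restart_sshd: the restart from the page, guarded. sshd -t only parses the
# configuration, so a typo is caught here instead of by the next login
# attempt. Keep the current session open until a fresh login has worked.
restart_sshd() {
    root_login_disabled /etc/ssh/sshd_config || return 1
    /usr/sbin/sshd -t || return 1
    /etc/rc.d/sshd restart
}

# Constructed sample: the stock commented-out default, the line the page
# adds (in a different letter case), and a Match block that quietly turns
# root logins back on for one address.
SAMPLE_SSHD_CONFIG=$(printf '%s\n' \
    '#PermitRootLogin yes' \
    'Port 22' \
    'permitrootlogin no' \
    '' \
    'Match Address 10.0.0.5' \
    '    PermitRootLogin yes')

# Run with --demo to see the sample fail the check because of the Match block.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$f"
    root_login_disabled "$f" && echo "root logins disabled"
    rm -f "$f"
fi
```

root_login_disabled /etc/ssh/sshd_config is the check to run after editing; restart_sshd chains it with sshd -t and the restart from the page, and refuses to restart when either fails.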

Startup and shutdown

Finally, make sure that your servers start when your system boots! This depends on the operating system you are using. In FreeBSD, I did it like this:

cp /usr/local/apache2/bin/apachectl /usr/local/etc/rc.d/apachectl.sh
cp /usr/local/mysql/share/mysql/mysql.server /usr/local/etc/rc.d/mysql-server.sh

(Older FreeBSD releases ran every executable *.sh script in /usr/local/etc/rc.d at boot, which is why the copies get a .sh suffix. Current releases install a proper rc script with each port instead; those are switched on with apache24_enable="YES" and mysql_enable="YES" in /etc/rc.conf.) Whichever way you do it, check after a reboot that mysqld runs as the unprivileged 'mysql' user (user=mysql in my.cnf) and that httpd's worker processes run as 'apache', not as root.

See also

Optimizing a web server

Backing up a web server
